
Contractors Under CCPA/CPRA

Under the CCPA, three types of entities were defined: businesses, service providers, and third parties. Now the CPRA has introduced a fourth type: contractors. Let's dive into what that means!


According to the CCPA (California Consumer Privacy Act), determining if a vendor is considered a service provider or not is crucial to ensuring compliance. 

Californians have the right to opt out of having their personal information sold to third parties; however, service providers are not third parties (based on the official definition). Because of this definition, disclosures or transfers of personal information to a service provider are exempt from this opt-out right.

This is important to understand since the data privacy law has imposed additional responsibilities on businesses that sell personal information. For example, a business must disclose the sale to consumers in its written privacy policy, give consumers the option to opt out, and post a link on its homepage for consumers to click if they want to avoid having their personal information sold.

Since the definition the CCPA provides for selling personal information is slightly vague, businesses benefit from knowing examples of these disclosures to service providers.

The Impact of CPRA (California Privacy Rights Act)

Sometimes referred to as CCPA 2.0, the CPRA has made several changes to the current law, including a new outside party – contractors. 

According to the amended CCPA, the role of contractors is like that of service providers, but not the same. Contractors are not seen as third parties. This means that any disclosure of personal information to a contractor is exempt from the law's definition of a sale.

Service Providers vs. Contractors 

While CCPA contractors and service providers are similar in some ways, they are by no means identical. To better understand the differences, consider the definition of both as amended by the CPRA:

  • Service Provider: A person who processes personal information for a business and receives, from or on behalf of the business, consumer information for a specific business purpose based on a written contract.
  • Contractor: A person to whom the business gives consumers' personal information for some business purpose, based on a written contract with the business.

It is worth noting that in these definitions, the word “person” is not limited to an individual. It can also include nonprofits, corporations, partnerships, and any other type of group or organization. Also, the written contract with a contractor or service provider must have specific provisions in place that limit the retention and use of personal information. 

To some, those definitions may seem the same; however, there are some differences. For example, the definition of a contractor is broader. It includes anyone to whom a business provides consumers' personal information for business purposes. On the other hand, the service provider is limited to someone who must “process information” for the business. Additionally, the contractor can only receive personal information from the business, while a service provider can receive it on behalf of the business. This shows that businesses have more control over contractors than over service providers.
